robertogallea
commented
3 years ago The combination checkAddress(false) + consistentAddress(true) is the suggested option to prevent false positives (i.e. legitimate accesses blocked by checkAddress).
Also, please note that this PR just make consistentAddress explicit without actually changing anything in the configuration.
CIE populates
<saml2:SubjectLocality />and<saml2:SubjectConfirmationData />using an IP different from the client that made the request. UsingcheckAddress="false"solves the problem. However, to prevent cookie theft is suggested to use alsoconsistentAddress="true". This setting is true by default, but perhaps it is a good idea to make it explicit.